Data breaches are persistent threats, and news reports of breaches of individuals' information and of breaches at companies across an array of sectors are seemingly nonstop. While network and information technology specialists work to identify and respond to incidents that compromise data security, companies' insurance professionals must provide notice to the relevant insurance companies. Insurers, however, frequently deny coverage and institute declaratory judgment actions to avoid liability.
HACKER ATTACKS
A recent, high-profile legal dispute between Sony Corporation of America (and some of Sony's affiliated companies) and Zurich American Insurance Company over data breach liability claims highlights the challenges companies confront to secure coverage for expenses related to cyber-risks. See Zurich American Insurance Company v. Sony Corporation of America, No. 651982/2011 (N.Y. Sup. July 20, 2011).
Zurich sued Sony on July 20, 2011, in New York state court over coverage for Sony's insurance claim arising from hackers' theft of users' personal data in a series of attacks at Sony's PlayStation Network, Sony Entertainment Online, and Sony Pictures. The attacks allegedly caused unauthorized access to and theft of nearly 100 million people's account data, and compromised more than 12 million credit and debit cards. They resulted in at least 55 putative class actions against Sony in the United States and another three class action lawsuits in Canada. The class actions seek both statutory and common law relief.
Zurich's complaint seeks to absolve Zurich of any responsibility to defend or indemnify Sony for the claims asserted in the class action complaints and "miscellaneous claims" arising from the data breaches. According to Zurich's complaint, the primary and excess general liability policies it issued to Sony Computer Entertainment America (one of the defendants named in Zurich's complaint) cover only "bodily injury," "property damage," and "personal injury and advertising injury" caused by occurrences other than the kind of cyber-attacks alleged in the class actions. Further, Zurich's complaint alleges that even if claims for "bodily injury," "property damage," and/or "personal injury and advertising injury" were alleged in the class actions, "certain exclusions" (none of which Zurich specifically identified) preclude coverage.
The cyber-attacks on Sony's PlayStation Network that are the subject of the Zurich-Sony coverage battle are only examples in a string of high-level hacker incidents -- from WikiLeaks to Rupert Murdoch. Indeed, on Aug. 10, 2011, Citigroup confirmed that, in what was the second breach within the group in the last four months, hackers had stolen and sold personal information of more than 92,000 customers of Citi Cards Japan. One message is clear: Companies need to deal with the reality of hacker attacks, security breaches, and malware as increasingly common business threats. Insurance coverage should be among the first lines of defense.
'PRIVACY' AND GENERAL LIABILITY
When companies think of general liability insurance, they think most frequently of coverage for third-party property damage and bodily injury claims. But general liability policies also include personal and advertising injury coverage, which incorporates coverage for invasion of privacy claims. A typical invasion of privacy provision provides coverage for oral or written publication, in any manner, of material that violates a person's right of privacy. As Zurich v. Sony illustrates, whether unauthorized release of personal information through hacker attacks is covered by the "invasion of privacy" coverage of a general liability policy is frequently front and center in battles for insurance coverage in data breach incidents.
Battles over invasion of privacy coverage have been heavily litigated in the context of blast faxes and data-sharing claims. In cases such as those, the key issue was typically the requirement of "publication" -- whether the activities at issue constituted "publication" of information. Some courts held that two strands of privacy exist: the right to secrecy, and the right to seclusion. These courts generally found use of the term "publication" in a coverage grant to mean that the general liability policy's invasion of privacy coverage applied only to an invasion of the right to secrecy, i.e., the risk that third parties will learn about a person's personal information. These courts denied coverage for blast fax claims accordingly.
Such cases notwithstanding, favorable decisions exist for policyholders. For example, courts have rejected insurers' arguments as regards triggering coverage for invasion of privacy claims "that in order to constitute a publication, the information that violates the right to privacy must be divulged to a third party." Zurich Am. Ins. Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 U.S. Dist. LEXIS 81570, *14 (D. Md. Oct. 26, 2007) ("Of the circuits to examine 'publication' in the context of an 'advertising injury' provision, the majority have found that the publication need not be to a third party"). See also Netscape Commc'ns Corp. v. Fed. Ins. Co., No. CV-08-15120, 2009 U.S. App. LEXIS 19500 (9th Cir. Aug. 27, 2009) (interception and internal distribution of private data meets personal injury coverage for purposes of duty to defend).
At least one court has held that communication of information from one employee to another at the same company satisfies the publication requirement. See Netscape Commc'ns Corp., 2009 U.S. App. LEXIS 19500. In short, to trigger this coverage, "publication" does not require public dissemination. Once the hacker has the data, it has been published.
"Publication" should not be an issue in these cases in any event. Indeed, the crux of the claim by an individual whose personal information has been compromised by a hacker is that their privacy has been invaded. Such allegations should trigger the invasion of privacy coverage in standard general liability policies. Companies should review their policies, because some policies have language that is somewhat different and minor differences can have a major impact on a coverage claim.
Other coverage issues may also exist. For example, insurance policies usually do not provide coverage for payments voluntarily made by policyholders, rather requiring a legal obligation on the part of an insured to pay damages. This raises two key issues. First, companies often respond proactively to a data breach, reaching out to customers or users whose personal information has been compromised and offering, for example, free credit reporting. Insurers often question whether such efforts are covered.
Second, general liability policies are designed to pay when the policyholder pays damages, which has been broadly construed by most courts to include any payment of money. In the wake of a data breach, however, companies frequently offer non-monetary relief, such as credit reporting or store coupons. Coverage for such relief and the expenses related to it has yet to be tested in the courts.
Finally, in response to coverage for claims arising out of blast faxes, insurance companies added a variety of new exclusions to policies that might apply. The first such exclusion simply applied to liability under the federal Telephone Consumer Protection Act of 1991, 47 U.S.C. §227, and similar state statutes. Other insurers introduced broader exclusions for liability arising from statutes involving data transmission, such as the CAN-SPAM Act of 2003, 15 U.S.C. §7701, et seq. At least one insurer has added an exclusion for any statutory liability relating to the transmission of information.
CONCLUSION
As hacker attacks and data and security breaches proliferate and take new shape, so too do the accompanying risks. When a company becomes aware that it has been subject to a data breach, it should immediately place its general liability insurer on notice and investigate coverage under that policy.
Companies should also closely examine their insurance portfolio, and prepare to provide notice and engage in the claims process with their insurers. Many policyholders that have done so -- for example, in the context of coverage for blast faxes and for security breaches alleged in Fieldstone Mortgage Company and Netscape Communications -- have secured coverage. Companies should never accept an insurance company's coverage denial as final. Rather, they should perform their own insurance analysis and be prepared to pursue coverage, if appropriate.
Joseph D. Jean is a member of Lowenstein Sandler. Rachel M. Wrightson is counsel at the firm. They are based in the New York office and can be reached at jjean@lowenstein.com and rwrightson@lowenstein.com.